CIS14: NIST and NSTIC (New Directions in Identity)
Posted on 18-May-2015
Transcript
Introduction
United States Department of Commerce
National Institute of Standards and Technology
Paul Grassi, CISSP
Senior Standards and Technology Advisor, NSTIC
Information Technology Laboratory
1401 Constitution Ave. NW, Rm. 2069, Washington, DC 20230
W: 202.482.8349 M: 703.786.8275
Email: paul.grassi@nist.gov
Background
Role @ NIST
Approach
Standards and Technology Landscape
Well-rounded pilots hitting diverse user set
Government adoption
Market Discovery
Attribute Providers
Internet of Things
Consumer-Centric Deployment Costs
Standards Gaps
Embedded Privacy
Identification of policy and technical overlays
Timeline 2012-2015: NSTIC Launch, IDE Sustaining
Envision It!?
True Interoperability
NIST Coverage in Key Identity Services
Key: No coverage / Partial coverage, to include other D/A documentation / Full coverage / Needs refreshing
Where We Will Focus in FY14/15
✓ Codify privacy enhancing profiles
✓ Enhance/Establish 'standard' to establish confidence, trustworthiness, and privacy preservation (zero knowledge, derived, minimal disclosure)
✓ Address portability of preferred credentials and relying party accounts
✓ Revisit and retool existing standards to address current market state and flex to innovation
✓ Develop new standards that increase IE participation
✓ Increase participation in commercial open standards
✓ Mobility, Cloud, Shared Services
✓ Simplify, accelerate, and reduce the cost of ICAM implementations
✓ Focus beyond the PIV
✓ Establish RP toolkits
✓ Identify and foster innovation from untapped sources
✓ Elevate non-person entities into the forefront of the IDE/ICAM discussion
✓ Non-intrusive security model
✓ Continuous monitoring and assessment
Identity Assurance – What would you think if?
De-coupled proofing strength from authentication strength?
NIST just measured authentication performance/strength/usability?
Got rid of LOA?
What else could we do to turn these docs on their head to enhance the IE?
Developed private sector companion to 800-63?
Attributes – What Needs to Happen?
Identify and establish market-enhancing attribute best practices, guidelines, and standards to communicate the veracity and trustworthiness of attributes to relying parties or identity and access management service or function.
Diagram: Meta-Attribute categories (Confidence/Assurance, Liability, Security and Privacy, Governance, Exchange) inform Dependent Standards, Performance Metrics, Risk Tolerance, Market, and Attribute Registries (focal).
The Need for a Privacy Profile
Double Blind Architecture (diagram): the Relying Party sends an Authentication Request to the Broker, which forwards an Authentication Request to the CSP; after User Consent, the CSP / Attribute Provider returns Response + Encrypted Attributes to the Broker, which relays Response + Encrypted Attributes to the Relying Party.
1 CSP/AP can't know the RP
2 Broker can't see the attributes
3 Standard and Protocol Agnostic
4 RP can't know CSP
5 Minimal Changes to Infrastructure (but we may soften this requirement)
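The blinding properties above can be checked concretely by simulating the flow. The following Python is an example added here, not code from the presentation or from NIST/NSTIC; the party names, message fields and the toy Diffie-Hellman group are assumptions. It shows the relying party generating a per-transaction ephemeral key, the broker substituting its own name as requester on the way in and as issuer on the way out, and the attribute provider encrypting to the ephemeral key so the broker relays only ciphertext; a final check confirms each hop saw only what properties 1, 2 and 4 permit.

```python
"""Simulation of the double-blind broker flow sketched on the slide.

Parties: Relying Party (RP), Broker, and a combined CSP / Attribute
Provider (AP). All names, message fields and the toy crypto below are
assumptions made for this example, not NIST's or NSTIC's definitions.
"""
import hashlib
import hmac
import json
import os

# Toy Diffie-Hellman group: the Mersenne prime 2^127 - 1 with generator 2.
# Far too small for real use; chosen only to keep the example stdlib-only.
P = (1 << 127) - 1
G = 2


def dh_keypair():
    """Fresh ephemeral key pair; the RP makes a new one per transaction."""
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return priv, pow(G, priv, P)


def derive_keys(priv, peer_pub):
    """Shared DH secret -> separate encryption and MAC keys."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return (hashlib.sha256(shared + b"enc").digest(),
            hashlib.sha256(shared + b"mac").digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode used as a simple PRF keystream."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key, mac_key, blob):
    """Verify the tag before touching the ciphertext; raise on tampering."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("attribute bundle failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_transaction(rp_id, csp_id, attributes):
    """Run one brokered authentication; return recovered attributes and what each hop saw."""
    seen = {}
    # 1. RP -> Broker: authentication request carrying a fresh ephemeral public key.
    rp_priv, rp_pub = dh_keypair()
    seen["broker_request"] = {"requester": rp_id, "ephemeral_pub": rp_pub,
                              "requested": sorted(attributes)}
    # 2. Broker -> CSP: same request, but the broker names itself as requester,
    #    so the CSP/AP never learns which RP is asking (property 1).
    seen["csp_request"] = dict(seen["broker_request"], requester="broker")
    # 3. CSP authenticates the user and obtains consent (assumed granted here);
    #    the AP encrypts the attributes to the ephemeral key, not to the broker.
    ap_priv, ap_pub = dh_keypair()
    enc_key, mac_key = derive_keys(ap_priv, seen["csp_request"]["ephemeral_pub"])
    bundle = encrypt(enc_key, mac_key, json.dumps(attributes).encode())
    seen["broker_response"] = {"issuer": csp_id, "auth_result": "success",
                               "ap_pub": ap_pub, "encrypted_attributes": bundle}
    # 4. Broker -> RP: relayed ciphertext (property 2) with the CSP identity
    #    replaced by the broker's own (property 4).
    seen["rp_response"] = dict(seen["broker_response"], issuer="broker")
    # 5. RP derives the same keys from its ephemeral private key and decrypts.
    enc_key, mac_key = derive_keys(rp_priv, seen["rp_response"]["ap_pub"])
    recovered = json.loads(decrypt(enc_key, mac_key,
                                   seen["rp_response"]["encrypted_attributes"]))
    return recovered, seen


def check_blinding(seen, rp_id, csp_id, attributes):
    """True if every hop saw only what the slide's properties 1, 2 and 4 allow."""
    plaintext = json.dumps(attributes).encode()
    csp_blind_to_rp = rp_id not in json.dumps(seen["csp_request"])
    broker_blind_to_attrs = plaintext not in seen["broker_response"]["encrypted_attributes"]
    rp_view = {k: v for k, v in seen["rp_response"].items() if k != "encrypted_attributes"}
    rp_blind_to_csp = csp_id not in json.dumps(rp_view)
    return csp_blind_to_rp and broker_blind_to_attrs and rp_blind_to_csp


if __name__ == "__main__":
    attrs = {"given_name": "Alice", "age_over_18": True}  # constructed sample attributes
    recovered, seen = run_transaction("rp.example", "csp.example", attrs)
    print("RP recovered:", recovered)
    print("all hops blinded:", check_blinding(seen, "rp.example", "csp.example", attrs))
```

Property 3 (standard and protocol agnostic) shows up only in that the messages are plain dictionaries rather than SAML or OpenID Connect assertions, and property 5 is not modelled at all; the CSP and AP are collapsed into one party and consent is assumed granted. The integrity tag matters in this design because the broker is an active intermediary: the RP must be able to detect a modified or swapped attribute bundle even though it trusts the broker for routing.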